diff options
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | auth-pam.c | 10 | ||||
| -rw-r--r-- | auth.h | 1 | ||||
| -rw-r--r-- | auth2-none.c | 19 | ||||
| -rw-r--r-- | auth2.c | 15 | ||||
| -rw-r--r-- | monitor.c | 3 | ||||
| -rw-r--r-- | monitor_wrap.c | 5 |
7 files changed, 47 insertions, 12 deletions
| @@ -6,6 +6,10 @@ | |||
| 6 | - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. | 6 | - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. |
| 7 | - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] | 7 | - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] |
| 8 | Make cygwin code more consistent with that which surrounds it | 8 | Make cygwin code more consistent with that which surrounds it |
| 9 | - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] | ||
| 10 | Bug #892: Send messages from failing PAM account modules to the client via | ||
| 11 | SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with | ||
| 12 | SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ | ||
| 9 | 13 | ||
| 10 | 20040830 | 14 | 20040830 |
| 11 | - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only | 15 | - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only |
| @@ -1725,4 +1729,4 @@ | |||
| 1725 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 1729 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 1726 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 1730 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 1727 | 1731 | ||
| 1728 | $Id: ChangeLog,v 1.3543 2004/09/11 12:42:09 djm Exp $ | 1732 | $Id: ChangeLog,v 1.3544 2004/09/11 13:07:03 dtucker Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 4ad86de9e..0a6817d63 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -47,7 +47,7 @@ | |||
| 47 | 47 | ||
| 48 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 48 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 49 | #include "includes.h" | 49 | #include "includes.h" |
| 50 | RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); | 50 | RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $"); |
| 51 | 51 | ||
| 52 | #ifdef USE_PAM | 52 | #ifdef USE_PAM |
| 53 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 53 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
| @@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt) | |||
| 572 | } | 572 | } |
| 573 | debug("PAM: initializing for \"%s\"", user); | 573 | debug("PAM: initializing for \"%s\"", user); |
| 574 | sshpam_err = | 574 | sshpam_err = |
| 575 | pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); | 575 | pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
| 576 | sshpam_authctxt = authctxt; | 576 | sshpam_authctxt = authctxt; |
| 577 | 577 | ||
| 578 | if (sshpam_err != PAM_SUCCESS) { | 578 | if (sshpam_err != PAM_SUCCESS) { |
| @@ -804,11 +804,13 @@ finish_pam(void) | |||
| 804 | u_int | 804 | u_int |
| 805 | do_pam_account(void) | 805 | do_pam_account(void) |
| 806 | { | 806 | { |
| 807 | debug("%s: called", __func__); | ||
| 807 | if (sshpam_account_status != -1) | 808 | if (sshpam_account_status != -1) |
| 808 | return (sshpam_account_status); | 809 | return (sshpam_account_status); |
| 809 | 810 | ||
| 810 | sshpam_err = pam_acct_mgmt(sshpam_handle, 0); | 811 | sshpam_err = pam_acct_mgmt(sshpam_handle, 0); |
| 811 | debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); | 812 | debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, |
| 813 | pam_strerror(sshpam_handle, sshpam_err)); | ||
| 812 | 814 | ||
| 813 | if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { | 815 | if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { |
| 814 | sshpam_account_status = 0; | 816 | sshpam_account_status = 0; |
| @@ -838,7 +840,7 @@ void | |||
| 838 | do_pam_setcred(int init) | 840 | do_pam_setcred(int init) |
| 839 | { | 841 | { |
| 840 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 842 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 841 | (const void *)&null_conv); | 843 | (const void *)&store_conv); |
| 842 | if (sshpam_err != PAM_SUCCESS) | 844 | if (sshpam_err != PAM_SUCCESS) |
| 843 | fatal("PAM: failed to set PAM_CONV: %s", | 845 | fatal("PAM: failed to set PAM_CONV: %s", |
| 844 | pam_strerror(sshpam_handle, sshpam_err)); | 846 | pam_strerror(sshpam_handle, sshpam_err)); |
| @@ -137,6 +137,7 @@ void do_authentication2(Authctxt *); | |||
| 137 | 137 | ||
| 138 | void auth_log(Authctxt *, int, char *, char *); | 138 | void auth_log(Authctxt *, int, char *, char *); |
| 139 | void userauth_finish(Authctxt *, int, char *); | 139 | void userauth_finish(Authctxt *, int, char *); |
| 140 | void userauth_send_banner(const char *); | ||
| 140 | int auth_root_allowed(char *); | 141 | int auth_root_allowed(char *); |
| 141 | 142 | ||
| 142 | char *auth2_read_banner(void); | 143 | char *auth2_read_banner(void); |
diff --git a/auth2-none.c b/auth2-none.c index 787458dad..1c30a3203 100644 --- a/auth2-none.c +++ b/auth2-none.c | |||
| @@ -74,6 +74,19 @@ auth2_read_banner(void) | |||
| 74 | return (banner); | 74 | return (banner); |
| 75 | } | 75 | } |
| 76 | 76 | ||
| 77 | void | ||
| 78 | userauth_send_banner(const char *msg) | ||
| 79 | { | ||
| 80 | if (datafellows & SSH_BUG_BANNER) | ||
| 81 | return; | ||
| 82 | |||
| 83 | packet_start(SSH2_MSG_USERAUTH_BANNER); | ||
| 84 | packet_put_cstring(msg); | ||
| 85 | packet_put_cstring(""); /* language, unused */ | ||
| 86 | packet_send(); | ||
| 87 | debug("%s: sent", __func__); | ||
| 88 | } | ||
| 89 | |||
| 77 | static void | 90 | static void |
| 78 | userauth_banner(void) | 91 | userauth_banner(void) |
| 79 | { | 92 | { |
| @@ -84,12 +97,8 @@ userauth_banner(void) | |||
| 84 | 97 | ||
| 85 | if ((banner = PRIVSEP(auth2_read_banner())) == NULL) | 98 | if ((banner = PRIVSEP(auth2_read_banner())) == NULL) |
| 86 | goto done; | 99 | goto done; |
| 100 | userauth_send_banner(banner); | ||
| 87 | 101 | ||
| 88 | packet_start(SSH2_MSG_USERAUTH_BANNER); | ||
| 89 | packet_put_cstring(banner); | ||
| 90 | packet_put_cstring(""); /* language, unused */ | ||
| 91 | packet_send(); | ||
| 92 | debug("userauth_banner: sent"); | ||
| 93 | done: | 102 | done: |
| 94 | if (banner) | 103 | if (banner) |
| 95 | xfree(banner); | 104 | xfree(banner); |
| @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); | |||
| 35 | #include "dispatch.h" | 35 | #include "dispatch.h" |
| 36 | #include "pathnames.h" | 36 | #include "pathnames.h" |
| 37 | #include "monitor_wrap.h" | 37 | #include "monitor_wrap.h" |
| 38 | #include "buffer.h" | ||
| 38 | 39 | ||
| 39 | #ifdef GSSAPI | 40 | #ifdef GSSAPI |
| 40 | #include "ssh-gss.h" | 41 | #include "ssh-gss.h" |
| @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); | |||
| 44 | extern ServerOptions options; | 45 | extern ServerOptions options; |
| 45 | extern u_char *session_id2; | 46 | extern u_char *session_id2; |
| 46 | extern u_int session_id2_len; | 47 | extern u_int session_id2_len; |
| 48 | extern Buffer loginmsg; | ||
| 47 | 49 | ||
| 48 | /* methods */ | 50 | /* methods */ |
| 49 | 51 | ||
| @@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
| 216 | authenticated = 0; | 218 | authenticated = 0; |
| 217 | 219 | ||
| 218 | #ifdef USE_PAM | 220 | #ifdef USE_PAM |
| 219 | if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) | 221 | if (options.use_pam && authenticated) { |
| 220 | authenticated = 0; | 222 | if (!PRIVSEP(do_pam_account())) { |
| 223 | authenticated = 0; | ||
| 224 | /* if PAM returned a message, send it to the user */ | ||
| 225 | if (buffer_len(&loginmsg) > 0) { | ||
| 226 | buffer_append(&loginmsg, "\0", 1); | ||
| 227 | userauth_send_banner(buffer_ptr(&loginmsg)); | ||
| 228 | buffer_clear(&loginmsg); | ||
| 229 | } | ||
| 230 | } | ||
| 231 | } | ||
| 221 | #endif | 232 | #endif |
| 222 | 233 | ||
| 223 | #ifdef _UNICOS | 234 | #ifdef _UNICOS |
| @@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m) | |||
| 810 | ret = do_pam_account(); | 810 | ret = do_pam_account(); |
| 811 | 811 | ||
| 812 | buffer_put_int(m, ret); | 812 | buffer_put_int(m, ret); |
| 813 | buffer_append(&loginmsg, "\0", 1); | ||
| 814 | buffer_put_cstring(m, buffer_ptr(&loginmsg)); | ||
| 815 | buffer_clear(&loginmsg); | ||
| 813 | 816 | ||
| 814 | mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); | 817 | mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); |
| 815 | 818 | ||
diff --git a/monitor_wrap.c b/monitor_wrap.c index 0d7a0e3bd..23857639b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -72,6 +72,7 @@ extern struct monitor *pmonitor; | |||
| 72 | extern Buffer input, output; | 72 | extern Buffer input, output; |
| 73 | extern Buffer loginmsg; | 73 | extern Buffer loginmsg; |
| 74 | extern ServerOptions options; | 74 | extern ServerOptions options; |
| 75 | extern Buffer loginmsg; | ||
| 75 | 76 | ||
| 76 | int | 77 | int |
| 77 | mm_is_monitor(void) | 78 | mm_is_monitor(void) |
| @@ -716,6 +717,7 @@ mm_do_pam_account(void) | |||
| 716 | { | 717 | { |
| 717 | Buffer m; | 718 | Buffer m; |
| 718 | u_int ret; | 719 | u_int ret; |
| 720 | char *msg; | ||
| 719 | 721 | ||
| 720 | debug3("%s entering", __func__); | 722 | debug3("%s entering", __func__); |
| 721 | if (!options.use_pam) | 723 | if (!options.use_pam) |
| @@ -727,6 +729,9 @@ mm_do_pam_account(void) | |||
| 727 | mm_request_receive_expect(pmonitor->m_recvfd, | 729 | mm_request_receive_expect(pmonitor->m_recvfd, |
| 728 | MONITOR_ANS_PAM_ACCOUNT, &m); | 730 | MONITOR_ANS_PAM_ACCOUNT, &m); |
| 729 | ret = buffer_get_int(&m); | 731 | ret = buffer_get_int(&m); |
| 732 | msg = buffer_get_string(&m, NULL); | ||
| 733 | buffer_append(&loginmsg, msg, strlen(msg)); | ||
| 734 | xfree(msg); | ||
| 730 | 735 | ||
| 731 | buffer_free(&m); | 736 | buffer_free(&m); |
| 732 | 737 | ||